Zoho domains central to keylogger, data theft campaigns worldwide

Updated: The Indian online office suite is reportedly being abused on a massive scale to exfiltrate data from compromised machines.
Written by Charlie Osborne, Contributing Writer on

Researchers have uncovered a keylogger phishing campaign which abuses Zoho in order to spread and exfiltrate data from victim devices.

On Tuesday, security researchers from Cofense said that Zoho, a web-based office suite and email provider, is being abused by phishers and fraudsters on a massive scale.

The Indian company's domain was suspended briefly in September, the researchers said in a blog post. This was due to an "insufficient response" to the reported abuse.

Zoho's registrar, TierraNet, took down the domain, seemingly surprising Zoho with the move -- to the point that the company took to Twitter to plead for help in resuming service.


CNET: UK retailer Superdrug warns 20,000 customers of possible data theft

At the time of the suspension, Zoho CEO Sridhar Vembu said:

"There were a total of 3 complaints in 2 months and we took action on 2 of them immediately and one is pending investigation. We serve 40 million users. 3 complaints in 2 months."

TierraNet's abrupt blockade of the service not only impacted Zoho itself but millions of customers in one fell swoop. Zoho's CEO outlined plans for the company to "be a domain registrar ourselves" to prevent the situation from happening again.

Now restored, Zoho services are once again being used for keylogger-based phishing campaigns, Cofense says.

The software platform's email address service, on both zoho.com and zoho.eu domains, is being exploited in 40 percent of phishing campaigns in which email "is the primary exfiltration vehicle."


Other victim domains include outlook.com, yandex.com, and gmail.com.

"The reason for threat actors overwhelmingly abusing Zoho is unclear, but minimal security process enforcements -- optional 2FA (not enforced), activity monitoring, etc. -- combine with user susceptibility to create fertile ground," the researchers say.

Keyloggers are defined as malware families which have been given the capability to monitor keystrokes and input from Human Interface Devices (HIDs). The malware may also be able to conduct clipboard monitoring and screen capture.

When a compromised PC is used by an individual to access their email account, for example, the malware is able to record the keys pressed on a keyboard.

Many forms of keylogger, including Agent Tesla and Hawkeye, are given bolt-on stealer capabilities and are distributed as part of wider malware packages or exploit kits. Information compromised by the malicious code may then be sent to the malware's command-and-control (C2) server, controlled by an attacker, who can then use the data to access the account.

TechRepublic: 8 steps to take within 48 hours of a data breach

Zoho may account for over a third of the email addresses used, but the company is not the only email service provider being targeted.

See also: FBI forces Apple iPhone X owner to unlock device through Face ID

In August, Cofense revealed the existence of a campaign spreading the Geodo malware, a banking Trojan, which leveraged stolen credentials from platforms including Gmail, Outlook.com, Yandex, and Yahoo.

Update 18.39BST: Vijay Sundaram, Chief Strategy Officer at Zoho told ZDNet:

"Unfortunately phishing has become one of the bad side-effects of Zoho's rapid growth over the last couple of years, especially the growth of our mail service. Since Zoho Mail offers the most generous free accounts as part of our freemium strategy, this gets exacerbated as more malicious actors take advantage of this massive customer value. But we are clamping down on this heavily and I quickly wanted to share what we have done and will be doing.

The first step is to examine all accounts, especially free ones since this is where most of the abuse appears to be happening. We are now mandating verification using mobile numbers for all accounts, including free ones (which also helps in two-factor authentication for accounts). We are actively looking at suspicious login patterns, and blocking such users, particularly for outgoing SMTP.

The second step is around improving and tightening our policies for all users. There are other heuristic methods and algorithms we are exploring and testing before we deploy at scale that we will not discuss in any detail, for all the right reasons."

Simple steps to erase your digital footprint

Previous and related coverage

Editorial standards